The official Peach app uses SSL and they also do certificate pinning in the requests, that's not a problem. The problem is that Peach's server side authorisation token does not expire when you 'log out' and you can reuse the token.
The issue is mainly got to do with third party apps + this flaw in Peach's API. There is already one[0] which has reversed the Peach API, and the flaw is still present. What happens when another third-party Peach app comes out and does not use SSL, you can still use Peach's API without SSL and it does not default to HTTPS.
This sort of flaw would lead to a similar issue to the Snapsaved leak[1].
Then a major factor in this vulnerability is that the API does not exclusively use TLS to secure all communication. You might want to clarify that in the blog post.
Newgrounds (sponsoring development of Ruffle) are already using Ruffle on some of their flash content.
[0] https://ruffle.rs
[1] https://github.com/ruffle-rs/ruffle